nix based setup

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/audit.yaml

@@ -1,19 +0,0 @@
-name: Security audit
-
-on:
-  schedule:
-    - cron: '0 0 * * 0'
-  push:
-    paths:
-      - '**/Cargo.toml'
-      - '**/Cargo.lock'
-  pull_request:
-
-jobs:
-  audit:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/audit-check@v1
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yaml

@@ -1,64 +1,68 @@
 on: [push, pull_request]
 
-name: Continuous integration
+name: CI
 
 jobs:
-  check:
-    name: Check
+  build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        machine:
+          - platform: x86_64-linux
+          - platform: aarch64-linux
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v4
+      - if: matrix.machine.platform != 'x86_64-linux'
+        uses: docker/setup-qemu-action@v3
+      - uses: cachix/install-nix-action@v26
         with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
+          extra_nix_config: |
+            extra-platforms = aarch64-linux
+      - uses: icewind1991/attic-action@v1
         with:
-          command: check
+          name: ci
+          instance: https://cache.icewind.me
+          authToken: '${{ secrets.ATTIC_TOKEN }}'
+      - run: nix build --option system ${{ matrix.machine.platform }}
 
-  test:
-    name: Test Suite
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/toolchain@v1
-        with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - uses: actions-rs/cargo@v1
-        with:
-          command: test
 
-  fmt:
-    name: Rustfmt
+  build-docker:
     runs-on: ubuntu-latest
+    needs: build
+    strategy:
+      matrix:
+        machine:
+          - platform: x86_64-linux
+          - platform: aarch64-linux
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/toolchain@v1
+      - uses: actions/checkout@v4
+      - if: matrix.machine.platform != 'x86_64-linux'
+        uses: docker/setup-qemu-action@v3
+      - uses: cachix/install-nix-action@v26
         with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add rustfmt
-      - uses: actions-rs/cargo@v1
+          extra_nix_config: |
+            extra-platforms = aarch64-linux
+      - uses: icewind1991/attic-action@v1
         with:
-          command: fmt
-          args: --all -- --check
+          name: ci
+          instance: https://cache.icewind.me
+          authToken: '${{ secrets.ATTIC_TOKEN }}'
+      - run: nix build --option system ${{ matrix.machine.platform }} .#docker
 
-  clippy:
-    name: Clippy
+  docker:
     runs-on: ubuntu-latest
+    needs: [build-docker]
     steps:
-      - uses: actions/checkout@v1
-      - uses: actions-rs/toolchain@v1
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - uses: cachix/install-nix-action@v26
+      - uses: icewind1991/attic-action@v1
         with:
-          profile: minimal
-          toolchain: stable
-          override: true
-      - run: rustup component add clippy
-      - uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: -- -D warnings
+          name: ci
+          instance: https://cache.icewind.me
+      - run: nix run .#dockerManifest
+        if: github.ref == 'refs/heads/master'
+        env:
+          VERSION: "1.0.0"
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/docker.yaml

@@ -1,29 +0,0 @@
-name: docker-build
-
-on:
-  push:
-    branches:
-      - 'master'
-      - 'main'
-  repository_dispatch:
-    types: [ build ]
-
-jobs:
-  docker:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: Login to DockerHub
-        uses: docker/login-action@v1
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Build and push
-        id: docker_build
-        uses: docker/build-push-action@v2
-        with:
-          push: true
-          tags: demostf/sync:latest
-      - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}

.gitignore

@@ -1,2 +1,4 @@
 .idea
 target
+result
+.direnv

Dockerfile

@@ -1,22 +0,0 @@
-FROM ekidd/rust-musl-builder AS build
-
-COPY Cargo.toml Cargo.lock ./
-
-# Build with a dummy main to pre-build dependencies
-RUN mkdir src && \
- sudo chown -R rust:rust . && \
- echo "fn main(){}" > src/main.rs && \
- cargo build --release && \
- rm -r src
-
-COPY src/ ./src/
-RUN sudo chown -R rust:rust . && touch src/main.rs
-
-RUN cargo build --release
-
-FROM scratch
-
-COPY --from=build /home/rust/src/target/x86_64-unknown-linux-musl/release/sync /
-EXPOSE 80
-
-CMD ["/sync"]

Makefile

@@ -1,7 +0,0 @@
-all: target/x86_64-unknown-linux-musl/release/sync
-
-target/x86_64-unknown-linux-musl/release/sync: Cargo.toml src/main.rs
-	docker run --rm -it -v "$(CURDIR):/home/rust/src" ekidd/rust-musl-builder cargo build --release
-
-docker: target/x86_64-unknown-linux-musl/release/sync Dockerfile
-	docker build --no-cache -t demostf/sync-rs .

docker.nix

@@ -0,0 +1,19 @@
+{
+  dockerTools,
+  demostf-sync,
+}:
+dockerTools.buildLayeredImage {
+  name = "demostf/sync";
+  tag = "latest";
+  maxLayers = 5;
+  contents = [
+    demostf-sync
+    dockerTools.caCertificates
+  ];
+  config = {
+    Cmd = ["sync"];
+    ExposedPorts = {
+      "80/tcp" = {};
+    };
+  };
+}

flake.lock

@@ -0,0 +1,135 @@
+{
+  "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": "nixpkgs-lib"
+      },
+      "locked": {
+        "lastModified": 1701473968,
+        "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flocken": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1704105102,
+        "narHash": "sha256-c4VWO9plhINjQzYPHSKURWgQ2D2q24aI3OIN0MTPjz0=",
+        "owner": "mirkolenz",
+        "repo": "flocken",
+        "rev": "3a846dfca17f989805d9f4177de85c96dc0f8542",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mirkolenz",
+        "ref": "v2",
+        "repo": "flocken",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1710695816,
+        "narHash": "sha256-3Eh7fhEID17pv9ZxrPwCLfqXnYP006RKzSs0JptsN84=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "614b4613980a522ba49f0d194531beddbb7220d3",
+        "type": "github"
+      },
+      "original": {
+        "id": "nixpkgs",
+        "ref": "release-23.11",
+        "type": "indirect"
+      }
+    },
+    "nixpkgs-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1701253981,
+        "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+        "type": "github"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flocken": "flocken",
+        "nixpkgs": "nixpkgs",
+        "utils": "utils"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,64 @@
+{
+  inputs = {
+    utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "nixpkgs/release-23.11";
+    flocken = {
+      url = "github:mirkolenz/flocken/v2";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    utils,
+    flocken,
+  }:
+    utils.lib.eachDefaultSystem (system: let
+      overlays = [
+        (import ./overlay.nix)
+      ];
+      pkgs = (import nixpkgs) {
+        inherit system overlays;
+      };
+      inherit (flocken.legacyPackages.${system}) mkDockerManifest;
+      inherit (builtins) fromTOML readFile;
+      version = (fromTOML (readFile ./Cargo.toml)).package.version;
+    in rec {
+      packages = rec {
+        sync = pkgs.demostf-sync;
+        docker = pkgs.demostf-sync-docker;
+        default = sync;
+
+        dockerManifest = mkDockerManifest {
+          tags = ["latest"];
+          registries = {
+            "docker.io" = {
+              enable = true;
+              repo = "demostf/sync";
+              username = "$DOCKERHUB_USERNAME";
+              password = "$DOCKERHUB_TOKEN";
+            };
+          };
+          inherit version;
+          images = with self.packages; [x86_64-linux.docker aarch64-linux.docker];
+        };
+      };
+      devShells.default = pkgs.mkShell {
+        OPENSSL_NO_VENDOR = 1;
+
+        nativeBuildInputs = with pkgs; [
+          cargo
+          rustc
+          bacon
+          cargo-edit
+          cargo-outdated
+          clippy
+          cargo-audit
+          cargo-watch
+          pkg-config
+          openssl
+        ];
+      };
+    });
+}

overlay.nix

@@ -0,0 +1,4 @@
+prev: final: {
+  demostf-sync = final.callPackage ./package.nix {};
+  demostf-sync-docker = final.callPackage ./docker.nix {};
+}

package.nix

@@ -0,0 +1,25 @@
+{
+  stdenv,
+  rustPlatform,
+  lib,
+  pkg-config,
+  openssl,
+}: let
+  inherit (lib.sources) sourceByRegex;
+  inherit (builtins) fromTOML readFile;
+  src = sourceByRegex ./. ["Cargo.*" "(src|build|images|script|style|.sqlx)(/.*)?"];
+  version = (fromTOML (readFile ./Cargo.toml)).package.version;
+in
+  rustPlatform.buildRustPackage rec {
+    pname = "demostf-sync";
+
+    inherit src version;
+
+    buildInputs = [openssl];
+
+    nativeBuildInputs = [pkg-config];
+
+    cargoLock = {
+      lockFile = ./Cargo.lock;
+    };
+  }